diff --git a/deployment/stacks/traefik/docker-compose.yml b/deployment/stacks/traefik/docker-compose.yml
index c7b96d0b..464acd5f 100644
--- a/deployment/stacks/traefik/docker-compose.yml
+++ b/deployment/stacks/traefik/docker-compose.yml
@@ -54,7 +54,8 @@ services:
       
       # Global redirect to HTTPS (lower priority, matches everything else)
       # ACME challenges are excluded from redirect automatically by Traefik
-      - "traefik.http.routers.http-catchall.rule=HostRegexp(`{host:.+}`)"
+      # Explicitly exclude ACME challenge path to be safe
+      - "traefik.http.routers.http-catchall.rule=HostRegexp(`{host:.+}`) && !PathPrefix(`/.well-known/acme-challenge`)"
       - "traefik.http.routers.http-catchall.entrypoints=web"
       - "traefik.http.routers.http-catchall.middlewares=redirect-to-https"
       - "traefik.http.routers.http-catchall.priority=1"